Glass Class - A Cloud Health Checkup

Glass Class - A Cloud Health Checkup

Video Transcript

Hi, and welcome to Glass Class. Today we'll be talking about HIPAA compliance and why healthcare organizations really need to be thinking about how their cloud applications and HIPAA are going to interact.

For organizations in the healthcare space, whether you're a hospital, a hospital system, or some associate that deals with protected health information in some way, you need to be thinking about these four rules, the rules of HIPAA compliance, and how they apply to data that's stored in cloud applications like Office 365, Salesforce, G Suite, or really any cloud application that your employees touch and handle patient data in. So, these four rules are the Privacy Rule, the Breach Notification Rule, the Enforcement Rule, and the Security Rule.

The Privacy Rule is “What can you do with that data?” “What can you do with that protected health information?” And there are some very specific things around how you can share that information and what it can be used for. That's something that you really need to consider when applying some of these policies organization-wide on how data can be accessed from your cloud applications.

Then we've got the Breach Notification Rule. You need to know when a breach happens and you need to alert the Department of Health and Human Services (and alert the patients and clients that the data belongs to) within sixty days of being made aware of a breach. So, having a tool in place that lets you identify a breach as soon as it happens, and making sure that you can be in compliance with that rule, is absolutely critical.

Then you've got the Enforcement Rule. It’s not really a rule explicitly stated in the HIPAA regulation, but it basically lays out the fines and criminal penalties that may be applied if you are not in compliance with the other rules.

And then, of course, there's the Security Rule. What security tools and policies do you need to have around the data itself in an application like Office 365? These are a few key controls that are laid out in the HIPAA regulation that you really need to have in place: access controls, audit controls, integrity controls, and transmission security.

In terms of access controls, make sure that the folks who have the access to the data are who they say they are - make sure that you have controlled access so that an outsider can't access some of that protected health information. For audit controls, make sure that you have that audit and logging capability across all your cloud applications, so you know where they're going and how they're being used. Integrity controls - make sure the data isn't modified in some way. Cloud applications oftentimes have capabilities that get at these integrity controls without a third party solution - versions, for example, in an application like G Suite. And then there’s transmission security. It’s making sure that everything that's going back and forth between cloud applications and your endpoints is secured. If you have these four capabilities in place, you're in compliance with the Security Rule.

All of these rules together are important to look at from a distance. Understand your security posture and understand how your cloud applications are going to work as you try to deploy those applications to all of your employees and remain in compliance with this critical regulation in the healthcare space.